Search This Blog

Showing posts with label WiFi. Show all posts

Major Vulnerabilities Found in Wireless LAN Devices in Airlines

The two major vulnerabilities were found in the series of the flexlan, a LAN device providing internet services in airlines. The Necrum security labs’ researchers Samy Younsi and Thomas Knudsen, initiated the research which led to tracking two critical vulnerabilities which were identified as CVE-2022-36158 and CVE-2022-36159. 

The vulnerabilities were detected in the Flexlan series named FXA3000 and FXA2000 and have been associated with a Japan-based firm known as Contec. 
The researchers said while considering the first vulnerability, that during the execution of reverse engineering on firmware, we found a hidden web page, which was not entailed in the list of wireless LAN manager interfaces. They also added that it simplifies the enforcement of the Linux command over the device with root privileges. The researchers mentioned that the first vulnerability gave access to all the system files along with the telnet port which allows to access the whole device.   
Regarding the second vulnerability, the researchers said, it makes use of hard-coded, weak cryptographic keys and backdoor accounts. While carrying out the research, the researchers were also able to recover and get access to a shadow file within a few minutes with the help of a brute-force attack. The file contained the hash of two users including root and users. 
The researchers explained the issue that the device owner is only able to change the password from the interface of the web admin as the root account is reserved for maintenance purposes by Contec. This allows the attacker with a root hard-coded password able to access all Flexlan FXA2000 and FXA3000 series effortlessly. 
With respect to the solutions, researchers emphasized the importance of mentioned to maintaining cyber security, with regard to the first Vulnerability. They said, “the hidden engineering web pages should be removed from all unfortified devices. As weak passwords make access easier for cyber attackers.” For the second vulnerability, the advisory commented, “the company should create new strong passwords, for every single device with the manufacturing process."

Researchers: Wi-Fi Probe Requests Leak User Data


A team of academic researchers from the University of Hamburg in Germany discovered that Wi-Fi investigation requests from mobile devices expose identifiable information about their owners via Wi-Fi investigation requests. 

When a probe response is received, mobile devices use it to obtain information about nearby Wi-Fi access points and connect to them. According to the researchers, attackers who can sniff network traffic can use these probing requests to monitor and identify devices, as well as determine their position. 

According to them, nearly a quarter of probe requests contain the Service Set Identifiers (SSIDs) of previously connected networks, which might be exploited to expose home addresses or visited places. Furthermore, the researchers highlight that the probe requests may be used to trilaterate the position of a device with an accuracy of up to 1.5 metres or to "trace the movement of a device to effectively monitor its owner.

“This is in fact employed in 23% of the stores already. Companies and cities that conduct Wi-Fi tracking take the legal position that only the MAC address contained in probe requests is considered personal data according to GDPR Article 4(1), which protects personal data from unlawful collection and processing,” the researchers stated in their paper. 

Experiment findings:

According to the academics, information gathered during a November 2021 experiment focusing on the analysis of probe requests should be sufficient to deem these queries personal data, based only on SSIDs recorded in the devices' preferred network lists (PNLs). 

As part of the trial, the researchers travelled to a pedestrian area in a German city and recorded probe requests three times in one hour using six off-the-shelf antennas. SSIDs were found in 23.2 per cent of the 252,242 total requests. 

The researchers also determined that some of the submitted probe requests with SSIDs revealed password data and that around 20% of the transmitted SSIDs were likely typos of the genuine SSID. The probe requests also revealed 106 separate first and/or last names, three email addresses, the SSIDs of 92 distinct vacation houses or lodgings, and the name of a nearby hospital. 

The academics claim that they ran all SSIDs using WiGLE's geolocation lookup API, which allowed them to determine the actual networks' locations within a 1-kilometre radius. 

The researchers added, “Considering the wealth of personal and sensitive information we observed in SSID fields, they can constitute identifying information and thus require due consideration. We argue that at least for as long as there are still devices broadcasting SSIDs, probe requests should be considered personal data and not be used for monitoring without legal basis.” 

Hardware Bugs Provide Bluetooth Chipsets Unique Traceable Fingerprints


A recent study from the University of California, San Diego, has proven for the first time that Bluetooth signals may be fingerprinted to track devices (and therefore, individuals). At its root, the identification is based on flaws in the Bluetooth chipset hardware established during the manufacturing process, leading to a "unique physical-layer fingerprint."

The researchers said in a new paper titled "Evaluating Physical-Layer BLE Location Tracking Attacks on Mobile Devices, "To perform a physical-layer fingerprinting attack, the attacker must be equipped with a Software Defined Radio sniffer: a radio receiver capable of recording raw IQ radio signals." 

The assault is made feasible by the pervasiveness of Bluetooth Low Energy (BLE) beacons, which are constantly delivered by current smartphones to allow critical tasks such as contact tracking during public health situations. 

The hardware flaws come from the fact that both Wi-Fi and BLE components are frequently incorporated into a specialised "combo chip," effectively subjecting Bluetooth to the same set of metrics that may be utilized to uniquely fingerprint Wi-Fi devices: carrier frequency offset and IQ imbalance. 

Fingerprinting and monitoring a device, therefore, includes calculating the Mahalanobis distance for each packet to ascertain how similar the characteristics of the new packet are to its previously registered hardware defect fingerprint. 

"Also, since BLE devices have temporarily stable identifiers in their packets [i.e., MAC address], we can identify a device based on the average over multiple packets, increasing identification accuracy," the researchers stated. 

However, carrying out such an attack in an adversarial situation has numerous obstacles, the most significant of which is that the ability to uniquely identify a device is dependent on the BLE chipset employed as well as the chipsets of other devices in close physical distance to the target. Other key aspects that may influence the readings include device temperature, variations in BLE transmit power between iPhone and Android devices, and the quality of the sniffer radio utilised by the malicious actor to carry out the fingerprinting assaults. 

The researchers concluded, "By evaluating the practicality of this attack in the field, particularly in busy settings such as coffee shops, we found that certain devices have unique fingerprints, and therefore are particularly vulnerable to tracking attacks, others have common fingerprints, they will often be misidentified. BLE does present a location tracking threat for mobile devices. However, an attacker's ability to track a particular target is essentially a matter of luck."

Several Palo Alto Devices Affected by OpenSSL Flaw


In April 2022, Palo Alto Networks aims to patch the CVE-2022-0778 OpenSSL flaw in several of its firewall, VPN, and XDR devices. 

OpenSSL published fixes in mid-March to address a high-severity denial-of-service (DoS) vulnerability impacting the BN mod sqrt() function used in certificate parsing, which is tracked as CVE-2022-0778. Tavis Ormandy, a well-known Google Project Zero researcher, uncovered the issue. An attacker can exploit the flaw by creating a certificate with invalid explicit curve parameters. 

The advisory for this flaw read, “The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form.” 

“It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters.” 

The bug affects OpenSSL versions 1.0.2, 1.1.1, and 3.0, and the project's maintainers fixed it with the release of versions 1.0.2zd (for premium support customers), 1.1.1n, and 3.0.2. When parsing an invalid certificate, an attacker can cause the OpenSSL library to enter an infinite loop, resulting in a DoS condition, according to Palo Alto Networks. 

“All PAN-OS software updates for this issue are expected to be released in April 2022. The full fixed versions for PAN-OS hotfixes will be updated in this advisory as soon as they are available.” as per Palo Alto Network. 

During the week of April 18, the company is expected to provide security remedies for the above vulnerability. PAN-OS, GlobalProtect app, and Cortex XDR agent software, according to Palo Alto, have a faulty version of the OpenSSL library, whereas Prisma Cloud and Cortex XSOAR solutions are unaffected. 

“We intend to fix this issue in the following releases: PAN-OS 8.1.23, PAN-OS 9.0.16-hf, PAN-OS 9.1.13-hf, PAN-OS 10.0.10, PAN-OS 10.1.5-hf, PAN-OS 10.2.1, and all later PAN-OS versions. These updates are expected to be available during the week of April 18, 2022.” continues the advisory. 

Customers with Threat Prevention subscriptions can enable Threat IDs 92409 and 92411 to limit the risk of exploitation for this issue while waiting for PAN-OS security upgrades, according to the company.

Hotel WiFi Across MENA Compromised, Private Information Leaked


Etizaz Mohsin, a Pakistani cybersecurity researcher, was in a hotel room in Qatar when he accidentally discovered a technical vulnerability in the company's internet infrastructure, compromising the personal information of hundreds of hotels and millions of tourists worldwide. 

Mohsin explained, “I discovered that there is an rsync [file synchronisation tool] service running on the device that allows me to dump the device’s files to my own computer. I was able to gain access to all other hotels’ sensitive information that was being stored on the FTP [file transfer protocol] server for backup purposes.” 

He was able to get network configurations for 629 significant hotels in 40 countries, as well as millions of customers' personal information, such as room numbers, emails, and check-in and check-out dates. Information from major hotel chains in Qatar,, Turkey, the United Arab Emirates (UAE), Saudi Arabia, Lebanon, Egypt, Bahrain, Oman, Jordan, Kuwait, and Bahrain, as well as the Kempinski, Millennium, Sheraton, and St Regis in Qatar, Turkey, the United Arab Emirates (UAE), Saudi Arabia, Lebanon, Egypt, Bahrain, Oman, Jordan, Kuwait, and Bahrain was included in the research. 

The hotels all use AirAngel's HSMX Gateway internet technology, which is a British company. Some of the world's most well-known hotel chains are among its clients. Most hotels, stores, restaurants, and cafés need guests to set up an account and fill out their personal information before they may use the internet. It does, however, have some disadvantages. 

Mohsin added, “A public WiFi network is inherently less secure than the one you use at home. It gives hackers access to critical information like banking credentials and account passwords by allowing them to monitor and intercept data transferred across the network.”

Seven years ago, researchers discovered a flaw in hotel routers that affected 277 devices in hotels and convention centres in the US, Singapore, the United Kingdom, the United Arab Emirates, and 25 other countries.

This New Russian Cyclops Blink Botnet Targets ASUS Routers


Nearly a month after it was discovered that the malware used WatchGuard firewall appliances as a stepping stone to obtaining remote access to infiltrated networks, ASUS routers have been the target of a budding botnet known as Cyclops Blink. 

The botnet's primary objective is to develop an infrastructure for additional attacks on high-value targets, according to Trend Micro, given that none of the compromised hosts belongs to vital organisations or those that have an obvious value on economic, political, or military espionage. 

Cyclops Blink has been identified by intelligence services in the United Kingdom and the United States as a replacement framework for VPNFilter, a malware that has targeted network equipment, especially small office/home office (SOHO) routers and network-attached storage (NAS) devices. 

Sandworm (aka Voodoo Bear), a Russian state-sponsored actor has been linked to both VPNFilter and Cyclops Blink. It has also been tied to several high-profile cyberattacks, including the 2015 and 2016 attacks on the Ukrainian electrical grid, the 2017 NotPetya attack, and the 2018 Olympic Destroyer attack on the Winter Olympic Games. 

The complex modular botnet, c language, affects a variety of ASUS router types, with the company admitting that it is working on a patch to handle any potential exploitation. –  
  • GT-AC5300 firmware under
  • GT-AC2900 firmware under
  • RT-AC5300 firmware under
  • RT-AC88U firmware under
  • RT-AC3100 firmware under
  • RT-AC86U firmware under
  • RT-AC68U, AC68R, AC68W, AC68P firmware under
  • RT-AC66U_B1 firmware under
  • RT-AC3200 firmware under
  • RT-AC2900 firmware under
  • RT-AC1900P, RT-AC1900P firmware under
  • RT-AC87U (end-of-life)
  • RT-AC66U (end-of-life), and
  • RT-AC56U (end-of-life)
Apart from employing OpenSSL to encrypt connections with its command-and-control (C2) servers, Cyclops Blink also includes specific modules that can read and write from the devices' flash memory, allowing it to persist and survive factory resets. A second reconnaissance module acts as a medium for exfiltrating data from the hacked device to the C2 server, while a file download component is responsible for retrieving arbitrary payloads through HTTPS. Although the exact form of initial access is unknown, Cyclops Blink has been affecting WatchGuard and Asus routers in the United States, India, Italy, Canada, and Russia since June 2019. 

A law firm in Europe, a medium-sized entity producing medical equipment for dentists in Southern Europe, and a plumbing company in the United States are among the impacted hosts. Because of the infrequency with which IoT devices and routers are patched and the lack of security software, Trend Micro has warned that this might lead to the establishment of "eternal botnets."

The researchers stated, "Once an IoT device is infected with malware, an attacker can have unrestricted internet access for downloading and deploying more stages of malware for reconnaissance, espionage, proxying, or anything else that the attacker wants to do. In the case of Cyclops Blink, we have seen devices that were compromised for over 30 months (about two and a half years) in a row and were being set up as stable command-and-control servers for other bots."

Experts Discovered 226 Security Flaws in Nine Wi-fi Routers


Security experts and editors at CHIP (a German IT) have found 226 potential security faults in nine wi-fi routers from authentic manufacturers like AVM, Netgear, Asus, D-Link, TP-Link, Linksys, Edimax, and Synology. TP-Link Archer AX6000 router was the most affected by the flaws, according to cybersecurity experts, besides this, they also found 32 flaws, along with Synology RT-2600ac with 30 defects, and Netgear Nighthawk AX12 having 29 bugs. Experts also discovered around ten vulnerabilities in Netgear Nighthawk AX12, Edimax BR-6473AX, Asus ROG Rapture GT-AX11000, Linksys Velop MR9600, AVM FritzBox 7590 AX, and AVM FritzBox 7530 AX. 

The experts analyzed these network systems with the help of IoT Inspector's security platform, which searched around 1000 CVEs and security vulnerabilities. IoT CEO Jan Wendenburg said "changing passwords on first use and enabling the automatic update function must be standard practice on all IoT devices, whether the device is used at home or in a corporate network. The greatest danger, besides vulnerabilities introduced by manufacturers, is using an IoT device according to the motto ‘plug, play and forget.” 

The most commonly found issues, according to cybersecurity researchers are out-of-date Linux kernel in the firmware, multimedia, and VPN features, existing hard-coded credentials, use of unsafe communication protocols, and weak security passwords. According to the security affairs advisory, "some of the security issues were detected more than once. Very frequently, an outdated operating system, i.e. Linux kernel, is in use. Since the integration of a new kernel into the firmware is costly, no manufacturer was up to date here. 

The device software used is also commonly found to be outdated, as it all too often relies on standard tools like BusyBox.” Experts observed that not all these faults can be compromised, false positives were also found. Experts discussed their findings with the manufacturers too, most of these vulnerabilities have been patched. Users are suggested to modify factory settings, make sure that devices install auto-updates, and stop functions that are not important.

70% of WiFi Networks in Tel Aviv were Cracked by a Researcher


In his hometown of Tel Aviv, a researcher cracked 70% of a 5,000 WiFi network sample, demonstrating that residential networks are extremely vulnerable and easy to hijack. Ido Hoorvitch, a CyberArk security researcher, first strolled about the city center using WiFi sniffing equipment to collect a sample of 5,000 network hashes for the study. 

The researcher then took the use of a vulnerability that allowed the extraction of a PMKID hash, which is typically generated for roaming purposes. Hoorvitch sniffed with WireShark on Ubuntu and utilized a $50 network card that can function as a monitor and a packet injection tool to collect PMKID hashes. 

Although Hoorvitch highlighted that this form of attack does not require such heavy-duty technology, the team deployed a 'monster' cracking rig made up of eight xQUADRO RTX 8000 (48GB) GPUs in CyberArk Labs. The attack is centered on a weakness found by Hashcat's primary developer, Jens 'atom' Steube. This bug can be used to obtain PMKID hashes and crack network passwords.

"Atom’s technique is clientless, making the need to capture a user’s login in real-time and the need for users to connect to the network at all obsolete," explains Hoorvitch in the report. "Furthermore, it only requires the attacker to capture a single frame and eliminate wrong passwords and malformed frames that are disturbing the cracking process." 

The generation and cracking of PMKs with SSIDs and different passphrases can then be used to crack PMKID hashes collected by wireless sniffers with monitor mode enabled. This data is created from the right WiFi password when a PMKID is generated that is equal to the PMKID acquired from an access point. Hoorvitch employed a conversion tool and Hashcat, a password recovery software, after sniffing out PMKID hashes with the Hcxdumptool utility. 

According to Hoorvitch, many Tel Aviv residents use their cellphone numbers as their WiFi password, thus it wasn't long before hashes were cracked, passwords were obtained, and doors to their networks were opened. Each crack on the researcher's laptop took around nine minutes in these circumstances. The team was able to break into over 3,500 WiFi networks in and around Tel Aviv. 

Despite the risk of being hacked, most consumers do not set a strong password for their WiFi networks, according to the report. Passwords should be at least ten characters long, contain a mix of lower and upper case letters, symbols, and numerals, and be unique. Keeping your router firmware up to date will also safeguard your hardware from attacks based on vulnerability exploits, according to the researcher. WAP/WAP1 and other weak encryption protocols should be disabled as well.

NSA Issues Warning Concerning Public Wi-Fi Networks


National Security Agency cautioned public servants against hackers that can benefit from public Wi-Fi in coffee shops, airports, and hotel rooms. 

NSA stated, “The Biden administration would like you to get a vaccine and wear a mask. Oh, and one more thing: It has just proclaimed that it’s time for government employees and contractors to get off public Wi-Fi, where they can pick up another kind of virus.” 

The National Security Agency released a strangely specific warning late last week cautioning that logging in for public Wi-Fi Network “may be convenient to catch up on work or check email,” in a notification to every federal employee, leading defense companies and the 3.4 million uniformed, civil and reserves personnel serving on the military. In an eight-page report, the agency describes how the click on the local coffee shop's network caused problems in a year highlighted by ransomware attacks on pipelines, meatpackers, and even police forces in Washington, DC. 

“Avoid connecting to public Wi-Fi, when possible,” the warning read, stating that even Bluetooth connections can be compromised. 

Officials affirmed that they are completely aware that it is as likely that individuals will listen to the advice as they can be fully veiled outside in a baseball game. However, the message marks a turning moment, with the nation's primary signal intelligence agency aiming to throw on the brakes after a decade in which every restaurant, hotel, or airline has experienced competing for pressures to enhance its free Wi-Fi. 

This risk is not theoretical but is openly recognized and used for various malevolent approaches. The caution lies with readers on videos showing how easy is the use of an unsecured Wi-Fi network, which demands no passwords, yet the password collecting, and mobile phone content is for hackers which they can easily take access of. 

The alert by NSA, without mentioning specific occurrences, includes a warning that criminals or foreign intelligence agencies can generate open Wi-Fi infrastructures that look like they are from a hotel or a coffee house, but certainly are “an evil twin, to mimic the nearby expected public Wi-Fi.” 

Although the sudden surge in a crime or national adversaries exploiting public internet to rob data or to orchestrate hacks did not trigger the National Security Agency's cautions, Officials said. It instead seemed to be part of a much-increased US government's efforts in recent months to make people aware of a variety of technological vulnerabilities. 

Lately, President Biden had signed an Executive Order establishing several Cybersecurity criteria for software firms that sell to the federal government. Federal agencies must implement two-factor authentication as customers receive a text message, with a code, from their bank before entering their account details.

Safeguard Your Smartphones From Radio-based Attacks


Smartphones, unlike PCs, involve a range of radios – generally cellular, Wi-Fi, Bluetooth, and Near Field Communication (NFC) – that permit wireless communication in a variety of situations, and these radios are made to remain turned on while the user moves around the world. All smartphone users should be aware of the security implications of these wireless connections. 

Security flaws in these interfaces are a matter of concern, whether built into the protocol or discovered in a particular implementation. They can enable attackers to force connections to untrusted equipment, allowing them to extract data and even gain access to the target device. According to reports, RF-based tactics are used by sophisticated nation-state actors such as Russia and China, allegedly target people traveling through airports and other chokepoints. However, the tools for RF hacking are available to garden-variety hackers as well. 

Ways attackers engage in RF hacking: 

The IMSI catcher, also known as a cell-site simulator, false cell tower, rogue base station, StingRay, or dirtbox in cellular communications, is the biggest concern. An IMSI catcher is a piece of equipment that acts like a genuine cell tower, allowing a targeted smartphone to connect to it rather than the actual mobile network. It may be done using a variety of ways, such as impersonating a neighboring cell tower or using white noise to jam the competing 5G/4G/3G frequencies. 

The IMSI catcher places itself between the targeted smartphone and its cellular network after capturing the IMSI of the targeted smartphone. (the ID number connected to its SIM card). The IMSI catcher is then used to track the user's position, collect data from the phone, and, in some circumstances, even install spyware on the device. 

Unfortunately, there's no guaranteed method for the ordinary smartphone user to see or know they're connecting to a fraudulent cell tower, but there may be some hints: a notably slower connection or a change in a band in the phone's status bar. 

Though 5G in standalone mode promises to make IMSI catchers obsolete since the Subscription Permanent Identifier (SUPI) – 5G’s IMSI equivalent – is never exposed in the handshake between smartphone and cell tower. However, because these deployments account for a small percentage of all cellular networks, IMSI catchers will continue to be successful in the vast majority of situations in the near future. 

A Karma attack performed via a rogue access point is a critical danger to be mindful of on the Wi-Fi front. A rogue access point is often a Wi-Fi penetration testing device – the Wi-Fi Pineapple is one popular model – that is set up to attract unsuspecting users rather than auditing Wi-Fi networks. 

In a Karma attack, the rogue AP compromises a basic feature of smartphones and all Wi-Fi-enabled devices. When a smartphone's Wi-Fi is turned on but not connected to a network, the rogue AP broadcasts a preferred network list (PNL), which includes the SSIDs (Wi-Fi network names) of access points to which the device previously connected and is willing to reconnect to automatically without user intervention. 

The rogue AP provides itself an SSID from the PNL after getting this list, fooling the smartphone into thinking it's connected to a known Wi-Fi network. An intruder can spy on network traffic to acquire sensitive data after the targeted smartphone connects. This sort of attack is difficult to detect without continually monitoring the Wi-Fi indicator in the status bar. 

Bluetooth exploits: Instead of relying on constraints inherent in the protocol's standard operating procedures, attackers use particular weaknesses inside the protocol or its implementation to carry out an attack. Bluetooth is a very lengthy and complicated standard, which means there are more possibilities for flaws to arise in the protocol's code as well as for developers to make mistakes in their implementations. 

BlueBorne is a strong example of the damage that a Bluetooth-based assault may do. The BlueBorne vulnerabilities, first disclosed in 2017 and mainly fixed since then, are an attack vector that allows attackers to gain total control of a target device without having to pair with it or even having the device in discoverable mode. Bluetooth has enhanced privileges on nearly all operating systems, with components ranging from the hardware level to the application level, allowing for such control. 

Lastly, NFC is a technology that allows for payment between a smartphone and a retailer's terminal. Due to its limited range (approximately a mile), and fewer use cases, NFC attacks are possible. A malicious NFC tag on an Android device, for example, might immediately launch a malicious site in the user's browser if the device is unlocked. Weaponizing a malicious tag on iOS demands some social engineering, as a popup notifies the user that the tag wants to open a certain app; for example, in a transit station, the tag may request that the user open the most recent train timetable in their browser. 

Techniques to minimize risks: 

Although radio-based assaults on smartphones are frequently undetectable to the user and fall beyond the realm of most mobile security solutions, there are a few steps a user can take to protect their smartphone and data. 

Turning off radios (especially Wi-Fi and Bluetooth) while not in use or when in public is the most effective. If the smartphone permits it, disable 2G functionality to reduce the danger of IMSI catchers. Turn off auto-join for hotspots on Wi-Fi. Install security updates for Bluetooth as soon as they become available to ensure that any known Bluetooth flaws are addressed. 

If one often goes through chokepoints or known hostile regions, they should consider investing in a high-end Faraday case to protect against RF assaults (Faraday bags are generally inadequate against strong signals). The radios in smartphones are a crucial component of why these gadgets are so popular. People can escape being easy targets for the evil people with a little bit of knowledge and aggressive resistance against their misuse.

Low-Risk iOS Wi-Fi Naming Issue can Compromise iPhones Remotely


According to recent research, the Wi-Fi network name issue that entirely disabled an iPhone's network connectivity had remote code execution capabilities and was discreetly patched by Apple earlier this year. 

On Monday, Apple released iOS 14.7 for iPhones, which includes bug fixes and security improvements as well as a remedy for the Wi-Fi denial-of-service issue. However, the company has not yet provided security information that may suggest whether its vulnerability has been fixed. 

The denial-of-service vulnerability, which was discovered last month, was caused by the way iOS managed string formats associated with the SSID input, causing any up-to-date iPhone to crash when connected to wireless access points with percent symbols in their names, such as "%p%s%s%s%s%n." 

While the problem could be solved by resetting the network settings (Settings > General > Reset > Reset Network Settings), Apple is likely to provide a fix in iOS 14.7, which is currently accessible to developers and public beta testers. 

Researchers from mobile security automation business ZecOps discovered that the same flaw could be abused to accomplish remote code execution (RCE) on targeted devices by simply adding the string pattern " % @" to the Wi-Fi hotspot's name, which may have had far-reaching repercussions. 

The issue was termed "WiFiDemon" by ZecOps. It's also a zero-click vulnerability as it allows a threat actor to infect a device without needing user interaction, however, it does necessitate that the setting to automatically connect Wi-Fi networks is enabled (which it is, by default). 

"As long as the Wi-Fi is turned on this vulnerability can be triggered," the researchers noted. "If the user is connected to an existing Wi-Fi network, an attacker can launch another attack to disconnect/de-associate the device and then launch this zero-click attack." 

"This zero-click vulnerability is powerful: if the malicious access point has password protection and the user never joins the Wi-Fi, nothing will be saved to the disk," the company stated. "

After turning off the malicious access point, the user's Wi-Fi function will be normal. A user could hardly notice if they have been attacked.

The RCE variant was discovered to be exploitable in all iOS versions before iOS 14.3, with Apple "silently" fixing the problem in January 2021 as part of their iOS 14.4 release. The vulnerability was not issued a CVE identifier. 

Given the vulnerability's exploitability, iPhone and iPad owners must update to the most recent iOS version to reduce the risk associated with the flaw.

This iPhone Bug Exists Even After Network Settings Reset


Two weeks after the iphone wifi bug was found, the same cybersecurity analyst Carl Schou discovered a similar different case. The expert in a tweet said that if an iPhone comes within a wifi network range called ‘%secretclub%power,' then the connected iphone wouldn't be able to use wifi or any other features related to it. The bug exists even if the user resets network settings, says Schou. 

9TO5Mac reports "Obviously, this is such an obscure chain of events that it is highly unlikely that any person accidentally falls into this unless a load of Wi-Fi pranksters suddenly pop up in the wild with open Wi-Fi networks using the poisoned name. Until Apple fixes this edge case in a future OS update, just keep an eye out for any Wi-Fi networks with percent symbols in their name." The only solution to fix the bug would be a factory reset of the iphone. 

However, the experts advise not to do it as it is not tested. The earlier problem was related to iPhones facing a network name with the SSiD “%p%s%s%s%s%n," however, the issue could be fixed by simply resetting the iphone in the network settings option. But the new problem has more threat as it can affect any device which comes into the range of the infected public wifi named 'secretclub%power.' However, it is clear that both the bugs are somewhat related as ‘%secretclub%power’ and ‘%p%s%s%s%s%n' exploit string format code vulnerability which lies somewhere in the iOS network stack. Schou tweeted "You can permanently disable any iOS device's WiFI by hosting a public WiFi named %secretclub%power. Resetting network settings is not guaranteed to restore functionality." 

As of now, it is clear that there exist many variants of network name bugs that use ‘%s’, ‘%p’, and ‘%n’ character sequences. From the user's perspective, the best way to stay safe from the bug is to avoid connecting your device to wifi networks that contain '%' symbols in their names. iOS users can only wait for the next update when Apple will fix the OS bug. "Here’s a funny bug: a security researcher has found that a carefully crafted network name causes a bug in the networking stack of iOS and can completely disable your iPhone’s ability to connect to Wi-Fi," reported 9TO5Mac previously.

Smart Plugs Used by Cyber Criminals to Break into Victims Property


Inexpensive intelligent connectors are a big threat to cybersecurity and can effectively be used by cybercriminals to hack anyone’s device or even gain entry to their residences, experts say. 

Usually, modern Internet-based devices can send data (using HTTPS) with stronger passwords and follow the appropriate safety practices using encrypted channels. Techradar reports that Sonoff and Ener-J smart plugs worked the opposite and that a large security issue was ready to be exploited. 

The security firm A&O IT Group documented its security analyses of two smart plugs, Sonoff S26 and Ener-J Wi-Fi, that are cheap and easily available at large. 

These smart connectors, which the customers will be able to purchase for just 10 dollars on Amazon, eBay, and AliExpress, can also be used to gain access to the Wi-Fi network of the targets by the hackers. This is because the router is communicated through port 80 via these devices, as well as because they have failed factory credentials, to send unencrypted HTTP traffic.

As soon as the attackers get Wi-Fi passwords, they can log in to the target network and do all sorts of activities from it: video and audio received from porters, insecure smart devices being regulated, confidential data downloaded, or even traffic monitoring from many other devices. 

They may also use Wi-Fi to download illicit information from the internet or undertake attacks on computers of other users that have little risk of getting caught. This is particularly important if the victim has items such as smart door locks, or video surveillance on the very same network. In this case, an intruder already knows how long the citizens are out and may even break into the property. 

The A&O IT Group says it has both reported vulnerabilities to Sonoff and Ener-J, but it has yet to receive any company's reports. 

To mitigate this issue, expertise from CNX Software suggests the fastest way is to set up a Guest SSID for IoT devices to prevent the sharing of the same network by other important devices. 

The most recent report on users of Eufy safety cameras that were later fixed in security feeds and the smart plug vulnerabilities that remind users that network security rests on the safety of all connected devices — something that users must remember when having smart doors, smart cameras, or other sensitive devices when using the same network.